Peer to Peer Magazine

Spring 2018

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/984836

Will Need-to-Know Security Destroy KM?

Data Security is No Longer Optional

In the past three years, data breaches have become commonplace, and firms have had to up their games to protect client data. It all started to come to light with the Panama Papers (the breach of Mossack Fonseca) in May of 2016. That year saw records breaches increase by 556% over the previous year as more than four billion records were leaked. 2017 was even uglier as the number of data breaches in the first 6 months alone exceeded the total for all of 2016. Equifax, the RNC, Uber, and Yahoo all were significant headline stories. Now, in 2018, the Facebook / Cambridge Analytica story shows there's no slowdown. More so, news that Mossack Fonseca will close proves that it's nigh on impossible to survive the reputational damage caused by such an incident.

Regulatory response has been growing. The SEC and FCC were already on the prowl and enforcing to the extent of their power. Then, in 2017, the New York State Department of Financial Services (NYS DFS) cybersecurity regulation came into effect with a phasing-in of numerous, stringent security requirements that apply to all financial entities conducting business or with presence in the State of New York; many of its provisions explicitly apply to those institutions' law firms. Meanwhile, May of this year brings into effect the European Union's long anticipated General Data Protection Regulation (GDPR) with its mandatory security requirements and global reach.

Meanwhile, clients have been slowly pushing their own requirements onto their firms. Regular security audits have become a common occurrence and outside counsel guidelines regularly include specific provisions dictating where and how data can be stored, used, and protected. Simultaneously, the industry saw the emergence of the Corporate Legal Operations Consortium (CLOC) and its collaboration with the Association of Corporate Counsel (ACC) who last year released their Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information.

These regulations and provisions, in conjunction with client pressures and the various enforcement mechanisms being used, essentially have established a standard of care for handling and protecting client data. One of the key common denominators and requirements of those is the expectation that law firms will limit access to client data. The most sensible and defensible approach is to lock down access to client matter files to only those in the firm working on the matter – or who may reasonably require access to that data. This means that only those in the firm who a client authorizes should have access to that client's data; this is commonly referred to as 'need to know' access.

Major Shift in Thinking Needed?

Knowledge Management in a law firm environment exists to leverage and share the collective expertise and experience of a firm's professionals to more efficiently deliver services to clients. Historically, this has been accomplished via open access environments where everyone had access to everything content related. Firms invested heavily in document management systems, SharePoint sites, enterprise search – and encouraged people to share. This concept, at its very heart, is the antithesis of security in a time when one compromised credential can bring down an entire organization. Firms must now fundamentally change this entrenched practice that has heretofore enabled everyone inside the firm to access every client's sensitive documents – not an easy change when lawyers are accustomed to relying upon prior work product as the basis for new work product.

Many firms appear loath to comply with these new mandates, choosing to ignore them or make excuses for why they needn't follow suit. Their concern? They worry that locking down and limiting access to content repositories will kill knowledge sharing. They express concern that taking away the ability to search for and access others' prior work product will harm operational efficiency. They have always had access, and many have built knowledge management departments, systems, or processes dedicated to helping locate and share that content. To try and create new workflows or re-learn processes cannot possibly be the intended consequence.

BEN WEINBERGER

Ben Weinberger is Lawyer-in-Residence for Prosperoware, an enterprise software company providing solutions for law firms, corporate legal departments, and professional services firms, and speaks on such topics as Data Privacy and Security, Information Governance and Emerging Technologies, and Transformational Trends in Professional Services. Ben has previously served as Chief Strategy Officer for a global consultancy, in senior executive roles for a top UK law firm and two AmLaw 200 law firms.
